Bug 24337 - libarchive new security issues CVE-2019-1000019 and CVE-2019-1000020
Summary: libarchive new security issues CVE-2019-1000019 and CVE-2019-1000020
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-10 20:37 CET by David Walser
Modified: 2019-02-13 12:10 CET (History)
5 users (show)

See Also:
Source RPM: libarchive-3.3.3-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-02-10 20:37:46 CET
Ubuntu has issued an advisory on February 7:
https://usn.ubuntu.com/3884-1/

Mageia 6 is also affected.
David Walser 2019-02-10 20:37:57 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2019-02-11 02:35:50 CET
Advisory:
========================

Updated libarchive packages fix security vulnerabilities:

libarchive contains an out-of-bounds read vulnerability in 7zip decompression,
archive_read_support_format_7zip.c, header_bytes() that can result in a crash
(denial of service). This attack appears to be exploitable via the victim
opening a specially crafted 7zip file (CVE-2019-1000019).

libarchive contains an infinite loop vulnerability in the ISO9660 parser,
archive_read_support_format_iso9660.c, read_CE()/parse_rockridge() that can
result in DoS by infinite loop. This attack appears to be exploitable via the
victim opening a specially crafted ISO9660 file (CVE-2019-1000020).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1000020
https://usn.ubuntu.com/3884-1/
========================

Updated packages in core/updates_testing:
========================
libarchive13-3.3.1-1.5.mga6
libarchive-devel-3.3.1-1.5.mga6
bsdtar-3.3.1-1.5.mga6
bsdcpio-3.3.1-1.5.mga6
bsdcat-3.3.1-1.5.mga6

from libarchive-3.3.1-1.5.mga6.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Herman Viaene 2019-02-11 14:27:28 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Used tests as in bug24075 Comment 5
$ cd Afbeeldingen/
$ ls
001rgba.tiff   34815267.pcx     gray1dit.tif                       P7212390.ORF
001.tif*       34815267.png     gray1.jpg                          P7212390.ORF.pp3
002.tif*       34815267.ps      gray1.tif                          P7212391.ORF
003.tif*       34815321.jpg     gray2.jpg                          P7212392.ORF
004.tif*       34815321rot.png  heap-buffer-overflow-readbmpimage  RawLen/
...and more in total 56 objects
$ bsdtar -c -f ~/archtar *
checked archtar with engrampa: all is there
$ cd ../tmp
$ bsdtar -x -f /home/tester6/archtar 
checked pictures in tmp: all OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 Len Lawrence 2019-02-11 18:44:14 CET
mga6, x86_64
A couple of POC available.

https://github.com/libarchive/libarchive/pull/1120

*Before updating*

CVE-2019-1000019
$ xxd -r crash.7z.txt crash.7z
$ bsdtar -xf crash.7z
Segmentation fault (core dumped)

CVE-2019-1000020
$ xxd -r rrforever.iso.txt rrforever.iso
$ bsdtar -xf rrforever.iso
Hung.....

Updated the packages.
- bsdcat-3.3.1-1.5.mga6.x86_64
- bsdcpio-3.3.1-1.5.mga6.x86_64
- bsdtar-3.3.1-1.5.mga6.x86_64
- lib64archive-devel-3.3.1-1.5.mga6.x86_64
- lib64archive13-3.3.1-1.5.mga6.x86_64
- lib64avahi-client-devel-0.6.32-1.1.mga6.x86_64

* After updating *

$ bsdtar -xf crash.7z
bsdtar: Damaged 7-Zip archive
bsdtar: Error exit delayed from previous errors.

$ bsdtar -xf rrforever.iso
bsdtar: Tried to parse Rockridge extensions, but none found
bsdtar: Error exit delayed from previous errors.

Those are good.

Following Herman's lead:
$ du -hs .
67M	.
$ cd ..
$ bsdtar -cf qatest libarchive
$ ll qatest
-rw-r--r-- 1 lcl lcl 69567488 Feb 11 17:20 qatest
$ engrampa qatest
< contents OK >
$ bsdtar -tf qatest
libarchive/
[...]
$ bsdtar -xf qatest
$ ls libarchive
crash.7z         oob.iso  report.24337       temp/
crash.7z.txt     oob.lha  rrforever.iso      vgcore.31453
hardware.txt.gz  report   rrforever.iso.txt
$ temp/checkmydiary
Displayed imminent events in a popup.

Good for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2019-02-11 18:44:45 CET

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 4 Thomas Andrews 2019-02-12 02:24:15 CET
Looks good to me, guys. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2019-02-13 03:29:32 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2019-02-13 12:10:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0074.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.